Archive | 2016

Project Wycheproof is a tool to test crypto libraries against known attacks. It is developed and maintained by members of the Google Security Team, but it is not an official Google product.

At Google, they rely on many third-party cryptographic software libraries. Unfortunately, in cryptography, subtle mistakes can have catastrophic consequences, and they found that libraries fall into such implementation pitfalls far too often and for far too long.

Good implementation guidelines, however, are hard to come by: understanding how to implement cryptography securely requires digesting decades’ worth of academic literature.

They recognise that software engineers fix and prevent bugs with unit testing, and they found that cryptographic weaknesses can be caught the same way.

These observations prompted them to develop Project Wycheproof, a collection of unit tests that detect known weaknesses in, or check the expected behaviour of, a cryptographic algorithm. Project Wycheproof provides tests for most common cryptographic algorithms, including RSA, elliptic curve crypto and authenticated encryption.
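To make the "unit tests for crypto" idea concrete, here is an added example of the kind of check Wycheproof's ECDH tests perform (this is illustration code written for this page, not Wycheproof's own test suite): a table of public-key inputs flagged valid or invalid, run against the routine under test, with the malformed ones expected to be rejected. The P-256 constants are the published NIST parameters; the validation routine stands in for the library being tested, and the `VECTORS` table is constructed here.

```python
"""Wycheproof-style test vectors for ECDH public-key validation on P-256.

Added example, not code from Project Wycheproof. A library that accepts
a public key which is not on the curve lets a peer run the ECDH
computation on a weaker curve of their choosing (an invalid-curve
attack), so rejecting off-curve points is one of the "known weaknesses"
a test suite like this must probe for.
"""

# NIST P-256 domain parameters (public constants, not assumptions).
P  = 0xffffffff00000001000000000000000000000000ffffffffffffffffffffffff
A  = P - 3
B  = 0x5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b
GX = 0x6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296
GY = 0x4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5


def is_valid_public_key(x, y):
    """Return True only for an affine point (x, y) on P-256.

    Both coordinates must be reduced field elements, and the point must
    satisfy y^2 = x^3 + a*x + b (mod p). Stands in for the library code
    under test.
    """
    if not (0 <= x < P and 0 <= y < P):
        return False
    return (y * y - (x * x * x + A * x + B)) % P == 0


# Constructed test vectors in the valid/invalid style Wycheproof uses.
# G is a known-good point; the others are deliberately malformed
# variants of it. "tcId", "comment" and "result" are the field names
# used here for illustration.
VECTORS = [
    {"tcId": 1, "comment": "generator point",        "x": GX,     "y": GY,     "result": "valid"},
    {"tcId": 2, "comment": "y off by one",           "x": GX,     "y": GY + 1, "result": "invalid"},
    {"tcId": 3, "comment": "x not reduced mod p",    "x": GX + P, "y": GY,     "result": "invalid"},
    {"tcId": 4, "comment": "point (0, 0)",           "x": 0,      "y": 0,      "result": "invalid"},
    {"tcId": 5, "comment": "negated y, still on curve", "x": GX,  "y": P - GY, "result": "valid"},
]


def run_vectors(check, vectors=VECTORS):
    """Run `check(x, y)` over the vectors; return tcIds where it disagrees
    with the expected result (accepting an invalid point or rejecting a
    valid one)."""
    failures = []
    for v in vectors:
        accepted = check(v["x"], v["y"])
        if accepted != (v["result"] == "valid"):
            failures.append(v["tcId"])
    return failures


def no_validation(x, y):
    """Stand-in for a library that skips point validation entirely."""
    return True


if __name__ == "__main__":
    print("with validation:   ", run_vectors(is_valid_public_key))
    print("without validation:", run_vectors(no_validation))
```

Running it shows the point of the approach: the validating implementation passes every vector, while the one that skips the check is caught by tcIds 2, 3 and 4 immediately, with no cryptanalysis required of the person writing the test.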

Features

Project Wycheproof has tests for the most popular crypto algorithms, including

AES-EAX

AES-GCM

DH

DHIES

DSA

ECDH

ECDSA

ECIES

RSA

The tests detect whether a library is vulnerable to many attacks, including:

As the end of the year approaches, it’s natural to contemplate the future and look for signs of things to come. Sometimes, however, you don’t have to search too hard. Sometimes, these “signs” hit you like a ton of bricks.

This is how it was for us when, just ten days before the year’s end, we found ourselves mitigating a 650 Gbps (Gigabit per second) DDoS attack—the largest on record for our network.

This was a fitting end to a year of huge DDoS assaults, nasty new malware types and massive IoT botnets. What’s more, it showed exactly where things are heading next on the DDoS front.

The attack began around 10:55 AM on December 21, targeting several anycasted IPs on the Imperva Incapsula network.

It’s hard to say why this attack didn’t focus on a specific customer. Most likely, it was the result of the offender not being able to resolve the IP address of his actual victim, which was masked by Incapsula proxies. And so, lacking any better option, the offender turned his attention to the service that stood between him and his target.

The attack seems to have started out as an attack on an Incapsula customer; when that failed, the attacker moved on to attacking the protecting service directly.

Incapsula mitigated the attack well, with minimal impact and apparently no downtime for customers.

The first DDoS burst lasted roughly 20 minutes, peaking at 400 Gbps. Failing to make a dent, the offender regrouped and came back for a second round. This time he had enough botnet “muscle” to generate a 650 Gbps DDoS flood of more than 150 million packets per second (Mpps).

This second burst lasted about 17 minutes and was just as easily countered by our service. Out of options, the offender wised up and ceased his assault.

Both attack bursts originated from spoofed IPs, making it impossible to trace the botnet’s actual geo-location or learn anything about the nature of the attacking devices.

The attack traffic was generated by two different SYN payloads:

Regular-sized SYN packets, ranging from 44 to 60 bytes in size

Abnormally large SYN packets, ranging from 799 to 936 bytes in size

The former was used to achieve high Mpps packet rates, while the latter was employed to scale up the attack’s capacity to 650 Gbps.

Whilst a pretty large attack, it’s certainly not the most persistent, with the attacker giving up fairly easily and using only a few limited methods.

Either that, or they were just probing the Incapsula network to see what it could handle and didn’t want to expose their full hand.

January 20, 2019 - 235 Shares

Ettercap is a comprehensive suite for man-in-the-middle (MITM) attacks. It features sniffing of live connections, content filtering on the fly and many other interesting tricks.

It also supports active and passive dissection of many protocols and includes many features for network and host analysis.

Ettercap works by putting the network interface into promiscuous mode and by ARP poisoning the target machines. Thereby it can act as a ‘man in the middle’ and unleash various attacks on the victims. Ettercap has plugin support so that the features can be extended by adding new plugins.

Features

Ettercap supports active and passive dissection of many protocols (including encrypted ones) and provides many features for network and host analysis. Ettercap offers four modes of operation:

IP-based: packets are filtered based on IP source and destination.

MAC-based: packets are filtered based on MAC address, useful for sniffing connections through a gateway.

ARP-based: uses ARP poisoning to sniff on a switched LAN between two hosts (full-duplex).

PublicARP-based: uses ARP poisoning to sniff on a switched LAN from a victim host to all other hosts (half-duplex).

In addition, the software also offers the following features:

Character injection into an established connection: characters can be injected into a server (emulating commands) or to a client (emulating replies) while maintaining a live connection.

SSH1 support: the sniffing of a username and password, and even the data of an SSH1 connection. Ettercap is the first software capable of sniffing an SSH connection in full duplex.

HTTPS support: the sniffing of HTTP SSL secured data—even when the connection is made through a proxy. Note that this works by terminating the TLS session with Ettercap’s own substituted certificate, so the victim’s browser will show a certificate warning unless the user clicks through it.

Remote traffic through a GRE tunnel: the sniffing of remote traffic through a GRE tunnel from a remote Cisco router, and performing a man-in-the-middle attack on it.

Packet filtering/dropping: setting up a filter that searches for a particular string (or hexadecimal sequence) in the TCP or UDP payload and replaces it with a custom string/sequence of choice, or drops the entire packet.

OS fingerprinting: determine the OS of the victim host and its network adapter.

Kill a connection: killing connections of choice from the connections-list.

Passive scanning of the LAN: retrieval of information about hosts on the LAN, their open ports, the version numbers of available services, the type of the host (gateway, router or simple PC) and estimated distances in number of hops.

Hijacking of DNS requests.

Ettercap also has the ability to actively or passively find other poisoners on the LAN.


DBShield is a Database Firewall written in Go that protects MySQL/MariaDB, Oracle and PostgreSQL databases. It works as a proxy, inspecting traffic and dropping abnormal queries once a learning period has populated its internal database with the regular query patterns.

Learning mode lets any query pass but it records information about it (pattern, username, time and source) into the internal database.

After collecting enough patterns we can run DBShield in protect mode. Protect mode can distinguish abnormal query patterns, users and sources and take action based on configuration.

It currently supports DB2, MariaDB, MySQL, Oracle & PostgreSQL, all with SSL support except Oracle and DB2.
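To show what "learn, then protect" buys and where it stops, here is an added example (not DBShield’s code) of the same idea in miniature: queries are normalised to a pattern by stripping literals, every (pattern, user, source) triple seen during learning is whitelisted, and in protect mode anything outside that set is rejected with a reason. The SQL, usernames and addresses are constructed; there is no network proxy, queries are handed to the checker directly.

```python
"""Learn-then-protect query filtering in the style DBShield describes.

Added example, not DBShield code. Literals are replaced by '?' so that
'WHERE id = 5' and 'WHERE id = 7' share one pattern, while
'WHERE id = 5 OR 1=1' produces a different one and is rejected in
protect mode even though it came from the expected user and source.
"""
import re

_STRING = re.compile(r"'(?:[^']|'')*'")   # single-quoted SQL string; '' escapes a quote
_NUMBER = re.compile(r"\b\d+\b")          # bare numeric literal (not digits inside an identifier)
_SPACE = re.compile(r"\s+")


def pattern_of(query):
    """Normalise a query to its shape: literals -> '?', whitespace collapsed, case folded."""
    q = _STRING.sub("?", query)   # strings first, so digits inside them are not touched twice
    q = _NUMBER.sub("?", q)
    q = _SPACE.sub(" ", q).strip()
    return q.lower()


class QueryFirewall:
    """Whitelist of (pattern, user, source) triples with a learning switch."""

    def __init__(self):
        self.allowed = set()
        self.learning = True

    def protect(self):
        self.learning = False

    def check(self, query, user, source):
        """Return (allowed, reason). In learning mode everything passes and is recorded."""
        key = (pattern_of(query), user, source)
        if self.learning:
            self.allowed.add(key)
            return True, "learning"
        if key in self.allowed:
            return True, "known"
        # Say which dimension is new, mirroring the pattern/user/source distinction.
        pat, usr, _src = key
        if not any(p == pat for p, _, _ in self.allowed):
            return False, "unknown query pattern"
        if not any(p == pat and u == usr for p, u, _ in self.allowed):
            return False, "known pattern from unexpected user"
        return False, "known pattern from unexpected source"


# Constructed learning-phase traffic from the application account.
LEARNING_TRAFFIC = [
    ("SELECT * FROM users WHERE id = 42", "webapp", "10.0.0.5"),
    ("SELECT * FROM users WHERE id = 7", "webapp", "10.0.0.5"),
    ("UPDATE users SET last_login = '2016-12-22 10:00:00' WHERE id = 7", "webapp", "10.0.0.5"),
]


def demo():
    """Learn from LEARNING_TRAFFIC, switch to protect mode, then probe it."""
    fw = QueryFirewall()
    for q, u, s in LEARNING_TRAFFIC:
        fw.check(q, u, s)
    fw.protect()
    return {
        "normal":       fw.check("SELECT * FROM users WHERE id = 99", "webapp", "10.0.0.5"),
        "injected":     fw.check("SELECT * FROM users WHERE id = 99 OR 1=1", "webapp", "10.0.0.5"),
        "dump":         fw.check("SELECT * FROM users", "webapp", "10.0.0.5"),
        "wrong_user":   fw.check("SELECT * FROM users WHERE id = 99", "root", "10.0.0.5"),
        "wrong_source": fw.check("SELECT * FROM users WHERE id = 99", "webapp", "192.168.1.77"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:13} {verdict}")
```

Two caveats follow directly from the design. Anything the application ran during learning is whitelisted, so learning must happen on traffic you trust; and an attacker whose injected query happens to normalise to an already-learned pattern passes, which is why this is a complement to parameterised queries rather than a substitute for them.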


A Kiev power outage last weekend in Ukraine has been linked to a cyber attack, which is worryingly similar to an attack that happened around the same time last year.

Sub-stations and transmission stations have always been a weak point for nation-state attacks as EVERYTHING relies on them now. Plus with smart grids and remotely controlled stations, the attack surface for such utilities is increasing year by year.

A cyber attack is suspected in connection with an outage of the Ukrainian power grid that affected homes around Kiev last weekend.

A substation in Pivnichna was cut off from the main power grid for about 75 minutes late on Saturday 17 December, lasting into the early hours of Sunday. As a result, houses and flats of the right bank district of Kiev and neighbouring areas lost power.

Ukrenergo, a Ukrainian energy provider, said that “hacker attack and equipment failure are among the possible causes for the power failures”, according to local reports.

Moreno Carullo, co-founder and chief technical officer at Nozomi Networks, said, “These reports are reminiscent of an attack experienced at a similar time last December that left 225,000 Ukrainians cold at Christmas. Worryingly, if this does prove to be another cyberattack on the Ukrainian grid, it sets an uncomfortable precedent that similar attacks may occur annually at this time of year.”

The recent outage appears to centre at a transmission substation. These are used to transport electricity over long distances, with its primary function to raise/lower and control the voltage, provide power factor correction to protect from overloads, and perform checks to synchronise power flow between two adjacent power systems. A distribution substation is then used, closer to cities, to carry electricity to users.

“All this equipment (the transmission and the primary distribution substations) are automated and remotely controlled, while smaller ones may be electro-mechanically operated and are certainly unsupervised,” according to Carullo.

It seems a lot of these stations are pretty old, and if they are connected to the Internet (which they seem to be), the connectivity has been retrofitted. Sadly, when that happens security is rarely a concern or even something discussed.

If they connect their remote control software, it works – and that’s usually the end of that.

“Substations have long been considered a weak point, with respect to cybersecurity, due to their remote location making them difficult to manage and monitor for disruptions. While some are completely disconnected, and are therefore considered safe from cyberattack, others form part of a Smart Grid which means they are part of a fully connected series of systems to allow for improved efficiency of the power grid. However, with Smart Grid connectivity comes increased vulnerability to cyberattacks due to the connected nature of the entire grid,” he added.

A hacker who gains access to internet-connected control panels might be able to disable inverters and fire alarms, triggering blackouts and equipment damage to many households at one time. If hackers did attack Kiev’s power grid – something that’s still the subject of investigation – then Russia will almost inevitably become the chief suspect, given recent (unresolved) conflicts between the two countries.

Alex Mathews, lead security evangelist at Positive Technologies, remains unconvinced that hackers caused the latest power outage in Ukraine. Equipment failure can’t be ruled out as a cause, he pointed out.

“Power outages in winter time are a pretty common story for ex-USSR territories where the power equipment is old, so it can shut down when people use too many electric heaters, lamps and other appliances,” Mathews said. “Such power outages happen every year, even in big cities like Moscow, Petersburg and Kiev.”

The temperature in Kiev on the day ranged from a -1˚C maximum and a -9˚C minimum.

Let’s hope this isn’t a trend and citizens of Ukraine can avoid getting a nasty shock like this each December in the coldest period of the year.

You also can’t rule out a nation state (possibly Russia?) simply testing Ukraine’s resources and reaction times.